Authorities warned companies about Zeppelin ransomware attacks

August 18, 2022

CISA and the FBI released a public advisory for US organisations, stating that threat actors have been deploying the Zeppelin ransomware, which can encrypt files of many types once an attack succeeds.

Both federal agencies also shared indicators of compromise (IOCs) and tactics, techniques, and procedures (TTPs) to help cybersecurity professionals spot and block Zeppelin attacks.

The FBI has observed cases in which Zeppelin operators executed their malware multiple times within a victim’s network. Each execution produces different file extensions and victim IDs, so affected victims need several decryption keys.
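As an added example (not code from the article or the advisory), a triage script an incident responder could run over a file inventory to count how many distinct encryption runs, and therefore how many decryption keys, a victim is dealing with. The appended-extension pattern it matches is an assumption chosen to resemble the three-hex-group suffix reported for Zeppelin samples and would need adjusting to the naming seen on the actual sample.

```python
import re
from collections import defaultdict
from pathlib import PurePosixPath

# Assumed marker format: three dash-separated hex groups appended as a final
# extension (e.g. "report.docx.C59-E0C-929"). This pattern is an assumption for
# the example, not taken from the article; adjust it to the real sample's naming.
ENCRYPTED_SUFFIX = re.compile(r"\.([0-9A-Fa-f]{3}-[0-9A-Fa-f]{3}-[0-9A-Fa-f]{3})$")


def parse_marker(name):
    """Return (original_name, run_id) if the filename carries an appended marker, else None."""
    m = ENCRYPTED_SUFFIX.search(name)
    if not m:
        return None
    return name[: m.start()], m.group(1).upper()


def triage(paths):
    """Group encrypted files by run marker: {marker: [paths]}.
    Each distinct marker indicates a separate execution that needs its own key."""
    runs = defaultdict(list)
    for p in paths:
        parsed = parse_marker(PurePosixPath(p).name)
        if parsed is None:
            continue  # not encrypted by this family, or unrecognised naming
        runs[parsed[1]].append(p)
    return dict(runs)


def summarize(paths):
    """Summary for the IR report: keys needed, files per run, files left untouched."""
    runs = triage(paths)
    untouched = sum(1 for p in paths if parse_marker(PurePosixPath(p).name) is None)
    return {
        "keys_needed": len(runs),
        "files_per_run": {k: len(v) for k, v in runs.items()},
        "untouched": untouched,
    }


# Constructed sample inventory for the example (not real victim data)
SAMPLE = [
    "/srv/finance/q2.xlsx.C59-E0C-929",
    "/srv/finance/q3.xlsx.C59-E0C-929",
    "/srv/hr/payroll.db.1A2-B3C-4D5",
    "/srv/hr/README.txt",
    "/srv/eng/spec.pdf.1A2-B3C-4D5",
    "/srv/eng/build.log",
]

if __name__ == "__main__":
    print(summarize(SAMPLE))
```

In a real engagement the path list would come from a filesystem walk or a backup catalogue, and the run IDs reported are the values worth including when sharing details with the FBI field office.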


Zeppelin is a Ransomware-as-a-Service operation whose payload has gone through several renamings; it has also been known as Buran, VegaLocker, and Jamper.


Zeppelin’s operators have been active since 2019, targeting critical infrastructure, businesses such as tech firms, and defence contractors. The operation also heavily targets the healthcare and medical industries.

The ransomware is also notorious for stealing data to support double extortion and for demanding ransoms in cryptocurrencies such as Bitcoin. The operators’ demands typically range from several thousand dollars to over a million dollars per attack.

The FBI also asked IT administrators who detect Zeppelin ransomware within their enterprise networks to gather related information and share it with their local field offices.

According to the bureau, data such as attacker IP addresses, sample ransom notes, and the communication services used can help identify the actors behind the ransomware operation.

Bitcoin wallet information, decryptor files, and samples of encrypted files will also be studied by researchers if administrators share details of Zeppelin activity.

The FBI also said it does not encourage victims to pay Zeppelin ransom demands, since paying only encourages the actors to conduct more attacks. Victims have no guarantee of recovering their data after paying the threat actors.

Paying such criminals is also likely to cause more trouble in the future, as other threat actors may copy the Zeppelin operators’ attack strategies.
